Oracle GoldenGate is a product widely adopted by multiple well-known companies. The strategic position in which this software is installed, together with the data it handles, increases the severity of remotely exploitable vulnerabilities such as the one described in this document.

The software is compatible with multiple platforms such as Windows, Linux, Solaris and AIX. The versions affected by these security issues are 11.2 and 12.1.2.

The following document describes a scenario in which the software is installed on a Windows Server 2008 R2 64-bit machine with Oracle Database 12c, and Windows Firewall is configured to allow traffic on TCP ports 7809 and 7819.

The affected service is GoldenGate Manager, the component that starts Oracle GoldenGate processes and collector processes, performs trail management and more. It runs by default with SYSTEM privileges.
Since the vulnerability lies in the application logic rather than in memory handling, protection mechanisms such as DEP, ASLR or similar do not mitigate the issue.

In short, an attacker can send files to the Manager service without any form of authentication or authorization. To do this the malicious user needs to either:

Obtain the GoldenGate suite of executables (installation is not necessary), which includes the Manager software and the executable called “ggsci.exe”; or

Interact directly with the remote server by speaking its custom protocol.
This document describes the latter technique.

The file upload technique consists of two stages: the first instructs the server to open the (normally closed) TCP port 7819 and wait for a data stream, while the second actually sends the data to the target system, specifying the destination path of the uploaded file.

To issue the first command an attacker must forge a packet with the following contents:

As an example, the following is a data stream captured during a normal file exchange communication between two instances of GoldenGate:

Since any file name, path and content can be supplied to the remote server, and since the service runs with SYSTEM privileges, any system file, DLL or batch script can be overwritten to gain remote control of the target machine.

Detection and Mitigations Guidance

The attack is carried out over a custom protocol. The recommendation is to apply the patch released by the vendor immediately.
Malicious requests can be difficult to detect, since remote file transfers are part of the normal functionality of the software. Restrictions can however be put in place by analysing the file name and path during an upload. Legitimate files exchanged between GoldenGate instances usually have no extension and are named according to the following rule:

The first 2 characters are defined by the operator

A sequential 6-digit number starting from 0 (zero-padded)

e.g. ac000001 or gh000042.

By enforcing that the last 6 characters are numeric and preventing uploads into particularly dangerous folders (system or web folders, for example), the majority of attacks can be mitigated.
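The naming and destination checks just described, implemented as an added example (this is not code from the advisory or from Oracle GoldenGate). It applies the two-characters-plus-six-digits trail rule to the file name and rejects destinations inside protected folders. The trail directory `C:\gg\dirdat`, the blocked folder list and the restriction of the two-character prefix to ASCII letters or digits are assumptions for this example; the advisory itself only requires the last six characters to be numeric. Paths are normalized with `ntpath` so that forward slashes, `..` segments and case differences are resolved the way the Windows file system would resolve them before the rules are applied.

```python
import ntpath
import re

# Trail file naming rule given in the advisory: two characters chosen by the
# operator followed by a six-digit, zero-padded sequence number and no
# extension (e.g. ac000001, gh000042). Restricting the two-character prefix to
# ASCII letters or digits is an assumption made for this example.
TRAIL_NAME_RE = re.compile(r"^[A-Za-z0-9]{2}[0-9]{6}$")

# Directory the Manager is expected to write trail files into. Assumed layout
# for this example, not taken from the advisory; relative destinations are
# resolved against it.
ALLOWED_ROOT = r"C:\gg\dirdat"

# Locations where a SYSTEM-privileged write is never part of a legitimate trail
# exchange (system and web folders, as the advisory suggests). Constructed list.
BLOCKED_PREFIXES = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\inetpub",
)


def _normalize(path):
    """Resolve a destination path the way the target file system would see it:
    forward slashes become backslashes, '.' and '..' segments are collapsed,
    relative paths are anchored under ALLOWED_ROOT, and the result is
    lower-cased because NTFS path matching is case-insensitive."""
    if not ntpath.isabs(path):
        path = ntpath.join(ALLOWED_ROOT, path)
    return ntpath.normpath(path).lower()


def _is_under(path, prefix):
    """True if the normalized path is the prefix itself or lies inside it
    (a separator is required so 'c:\\windowsfoo' does not match 'c:\\windows')."""
    prefix = prefix.lower()
    return path == prefix or path.startswith(prefix + "\\")


def is_valid_trail_name(name):
    """Apply the naming rule to a bare file name (no directory part)."""
    return TRAIL_NAME_RE.fullmatch(name) is not None


def classify_upload(dest_path):
    """Decide whether an upload destination looks like a legitimate trail
    transfer. Returns (verdict, reason) with verdict 'allow' or 'block'; the
    reason names the first rule that fired."""
    norm = _normalize(dest_path)
    directory, name = ntpath.split(norm)

    if not is_valid_trail_name(name):
        return "block", "file name does not follow the <2 chars><6 digits> trail rule"
    for prefix in BLOCKED_PREFIXES:
        if _is_under(norm, prefix):
            return "block", "destination lies inside a protected folder: " + prefix
    if not _is_under(directory, ALLOWED_ROOT):
        return "block", "destination is outside the trail directory"
    return "allow", "trail name and destination are consistent with a normal exchange"


if __name__ == "__main__":
    # Constructed sample destinations, not captured traffic.
    samples = [
        r"ac000001",
        r"C:\gg\dirdat\gh000042",
        r"C:/gg/dirdat/ab000007",
        r"..\..\Windows\System32\ac000001",
        r"C:\gg\dirdat\update.bat",
        r"C:\inetpub\wwwroot\ac000001",
    ]
    for dest in samples:
        verdict, reason = classify_upload(dest)
        print(f"{verdict:5}  {dest!r}: {reason}")
```

The order of the checks matters: the folder test runs on the fully normalized path, so a relative destination that climbs out of the trail directory with `..` is judged by where it actually lands, not by how it was written. Running the block prints one verdict per sample; the first three are allowed and the remaining three are blocked.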

Summary

Remote command execution affecting Oracle GoldenGate versions 11.2 and 12.1.2 on each of the supported operating systems.

All the vulnerabilities can be triggered remotely by an attacker who has access to TCP ports 7809 and 7819 (with default settings) on the target server.